Cobalt

Summary of Actor: Cobalt, also known as Cobalt Group or Cobalt Gang, is a financially motivated cybercriminal group best known for bank heists. It has been active since at least 2016 and targets financial institutions worldwide with custom malware and a commercial post-exploitation framework, Cobalt Strike, from which the group takes its name.

General Features: Cobalt relies on spear-phishing email to deliver its payloads. It primarily targets banks, ATM networks and other financial entities, combining custom malware with standard intrusion tooling to move money out of victim institutions, and has been linked to numerous high-profile heists.

Related Other Groups: Carbanak, FIN7

Indicators of Attack (IoA):

  • Spear-phishing emails carrying malicious attachments or links
  • Cobalt Strike Beacon (a commercial post-exploitation framework, not custom malware; the group is named after it) used alongside custom tooling
  • Credential theft
  • Lateral movement within networks

Recent Activities and Trends:

  • Latest Campaigns: phishing emails with malicious Office attachments that exploit vulnerabilities in Microsoft Office to run a downloader and then a Beacon inside the target bank's internal network. Reporting on these campaigns describes already-patched (n-day) Office vulnerabilities weaponised within days of the fix rather than true zero-days, so workstation patch latency is the exposure that matters.
  • Emerging Trends: greater use of living-off-the-land techniques (signed system binaries and scripting hosts such as rundll32, mshta and PowerShell) to avoid detection, and a shift towards cryptocurrency exchanges and blockchain-related financial entities as targets.
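The two behaviours above that a defender can actually hunt for are the malicious-attachment chain (an Office process spawning a scripting host or living-off-the-land binary) and Cobalt Strike's stock named pipes. The script below is an added example written for this page, not code from the profile or from any vendor: it runs both checks over constructed Sysmon-style events (EventID 1 process creation, EventID 17/18 pipe creation/connection; the key=value layout and field names are an assumption of this example, not a real log export). The pipe patterns are Cobalt Strike's defaults (MSSE-<n>-server, postex_<hex>, msagent_<hex>); operators can rename them in a Malleable C2 profile, so a miss is not evidence of absence.

```python
import re

# Office binaries whose children deserve scrutiny. EQNEDT32.EXE (Equation
# Editor) runs out-of-process from Office and is a frequent exploit target.
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe",
}

# Scripting hosts and living-off-the-land binaries that a document viewer has
# no business launching (ATT&CK T1059, T1218, T1047).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "wmic.exe",
}

# Cobalt Strike's stock pipe names. Operators can rename them in a Malleable C2
# profile, so a miss proves nothing; a hit on a default name is a strong lead.
CS_PIPE_PATTERNS = [
    re.compile(r"MSSE-\d{3,4}-server", re.I),
    re.compile(r"postex_[0-9a-f]{4}", re.I),
    re.compile(r"postex_ssh_[0-9a-f]{4}", re.I),
    re.compile(r"msagent_[0-9a-f]{2,4}", re.I),
]

# key=value pairs; values containing spaces are double-quoted (assumed layout).
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev: dict):
    """Sysmon EventID 1: Office parent -> scripting host / LOLBin child."""
    if ev.get("EventID") != "1":
        return None
    parent = _basename(ev.get("ParentImage", ""))
    child = _basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"office-spawned-lolbin: {parent} -> {child}"
    return None


def check_pipe(ev: dict):
    """Sysmon EventID 17/18: pipe created/connected with a Cobalt Strike default name."""
    if ev.get("EventID") not in ("17", "18"):
        return None
    # Normalise "\\.\pipe\name" and "\name" to "name" before matching.
    name = re.sub(r"^(\\\\\.\\pipe)?\\+", "", ev.get("PipeName", ""), flags=re.I)
    if any(p.fullmatch(name) for p in CS_PIPE_PATTERNS):
        return f"cobalt-strike-default-pipe: {name}"
    return None


def hunt(lines):
    """Return (line_number, alert) pairs for every event that trips a check."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for check in (check_process, check_pipe):
            hit = check(ev)
            if hit:
                alerts.append((n, hit))
    return alerts


# Constructed Sysmon-style events for this example; not real telemetry.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\splwow64.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" User=CORP\jdoe',
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\EQNEDT32.EXE" CommandLine="cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\run.bat"',
    r'EventID=1 Image="C:\Windows\System32\mshta.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="mshta.exe C:\Users\jdoe\AppData\Local\Temp\invoice.hta"',
    r'EventID=1 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe" CommandLine=cmd.exe',
    r'EventID=17 Image="C:\Windows\System32\svchost.exe" PipeName="\MyApp_Status"',
    r'EventID=17 Image="C:\Windows\System32\rundll32.exe" PipeName="\MSSE-4921-server"',
    r'EventID=18 Image="C:\Windows\System32\rundll32.exe" PipeName="\\.\pipe\postex_1a2b"',
]

if __name__ == "__main__":
    for n, alert in hunt(SAMPLE_EVENTS):
        print(f"line {n}: {alert}")
```

The benign Word-to-print-spooler event and the explorer-launched shell produce no alert; the Equation Editor and Word rows trip the parent/child check, and the two default pipe names trip the pipe check whether or not the `\\.\pipe\` prefix is present. In production the parent/child rule should be tuned against a baseline of legitimate Office add-in behaviour before it is used for blocking.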

...

Also Known As: Mule Libra, ATK 67, Cobalt Gang, Cobalt Spider, Gold Kingswood (+2 more)

Target Countries: Kazakhstan, Turkey, Romania, Spain, Czech Republic (+26 more)


Target Sectors: Retail, Finance, Electrical & Electronic Manufacturing


Associated Malware/Software: LNK (malicious shortcut loaders), SDelete, win.lokipws (Malpedia identifier for Loki PWS / LokiBot), More_eggs, Mimikatz (+15 more)


Related CVEs: (none listed)

ATT&CK IDs (selection): T1037 Boot or Logon Initialization Scripts; T1505 Server Software Component; T1550 Use Alternate Authentication Material; T1136 Create Account; T1486 Data Encrypted for Impact (+212 more; full mapping below)

Tactic                 Id     Technique
Collection             T1056  Input Capture
Collection             T1123  Audio Capture
Collection             T1005  Data from Local System
Collection             T1530  Data from Cloud Storage
Collection             T1074  Data Staged
Collection             T1560  Archive Collected Data
Collection             T1114  Email Collection
Collection             T1113  Screen Capture
Collection             T1115  Clipboard Data
Collection             T1039  Data from Network Shared Drive
Collection             T1185  Browser Session Hijacking
Collection             T1119  Automated Collection
Command And Control    T1132  Data Encoding
Command And Control    T1571  Non-Standard Port
Command And Control    T1008  Fallback Channels
Command And Control    T1090  Proxy
Command And Control    T1105  Ingress Tool Transfer
Command And Control    T1071  Application Layer Protocol
Command And Control    T1219  Remote Access Software
Command And Control    T1043  Commonly Used Port (revoked; use T1571 / T1071)
Command And Control    T1095  Non-Application Layer Protocol
Command And Control    T1102  Web Service
Command And Control    T1572  Protocol Tunneling
Command And Control    T1001  Data Obfuscation
Command And Control    T1094  Custom Command and Control Protocol (revoked; now T1095)
Command And Control    T1573  Encrypted Channel
Credential Access      T1056  Input Capture
Credential Access      T1003  OS Credential Dumping
Credential Access      T1555  Credentials from Password Stores
Credential Access      T1081  Credentials in Files (revoked; now T1552.001)
Credential Access      T1558  Steal or Forge Kerberos Tickets
Credential Access      T1539  Steal Web Session Cookie
Credential Access      T1110  Brute Force
Credential Access      T1552  Unsecured Credentials
Credential Access      T1187  Forced Authentication
Credential Access      T1503  Credentials from Web Browsers (revoked; now T1555.003)
Defense Evasion        T1130  Install Root Certificate (revoked; now T1553.004)
Defense Evasion        T1574  Hijack Execution Flow
Defense Evasion        T1085  Rundll32 (revoked; now T1218.011)
Defense Evasion        T1127  Trusted Developer Utilities Proxy Execution
Defense Evasion        T1112  Modify Registry
Defense Evasion        T1055  Process Injection
Defense Evasion        T1070  Indicator Removal
Defense Evasion        T1140  Deobfuscate/Decode Files or Information
Defense Evasion        T1036  Masquerading
Defense Evasion        T1078  Valid Accounts
Defense Evasion        T1550  Use Alternate Authentication Material
Defense Evasion        T1548  Abuse Elevation Control Mechanism
Defense Evasion        T1601  Modify System Image
Defense Evasion        T1107  File Deletion (revoked; now T1070.004)
Defense Evasion        T1564  Hide Artifacts
Defense Evasion        T1220  XSL Script Processing
Defense Evasion        T1497  Virtualization/Sandbox Evasion
Defense Evasion        T1170  Mshta (revoked; now T1218.005)
Defense Evasion        T1027  Obfuscated Files or Information
Defense Evasion        T1562  Impair Defenses
Defense Evasion        T1553  Subvert Trust Controls
Defense Evasion        T1218  System Binary Proxy Execution
Defense Evasion        T1134  Access Token Manipulation
Discovery              T1135  Network Share Discovery
Discovery              T1012  Query Registry
Discovery              T1124  System Time Discovery
Discovery              T1082  System Information Discovery
Discovery              T1033  System Owner/User Discovery
Discovery              T1482  Domain Trust Discovery
Discovery              T1217  Browser Information Discovery
Discovery              T1083  File and Directory Discovery
Discovery              T1018  Remote System Discovery
Discovery              T1049  System Network Connections Discovery
Discovery              T1614  System Location Discovery
Discovery              T1087  Account Discovery
Discovery              T1497  Virtualization/Sandbox Evasion
Discovery              T1007  System Service Discovery
Discovery              T1518  Software Discovery
Discovery              T1016  System Network Configuration Discovery
Discovery              T1057  Process Discovery
Discovery              T1046  Network Service Discovery
Discovery              T1069  Permission Groups Discovery
Discovery              T1120  Peripheral Device Discovery
Execution              T1559  Inter-Process Communication
Execution              T1085  Rundll32 (revoked; now T1218.011)
Execution              T1059  Command and Scripting Interpreter
Execution              T1203  Exploitation for Client Execution
Execution              T1047  Windows Management Instrumentation
Execution              T1053  Scheduled Task/Job
Execution              T1204  User Execution
Execution              T1106  Native API
Execution              T1170  Mshta (revoked; now T1218.005)
Execution              T1569  System Services
Exfiltration           T1048  Exfiltration Over Alternative Protocol
Exfiltration           T1567  Exfiltration Over Web Service
Exfiltration           T1020  Automated Exfiltration
Exfiltration           T1030  Data Transfer Size Limits
Exfiltration           T1041  Exfiltration Over C2 Channel
Exfiltration           T1011  Exfiltration Over Other Network Medium
Exfiltration           T1029  Scheduled Transfer
Impact                 T1529  System Shutdown/Reboot
Impact                 T1490  Inhibit System Recovery
Impact                 T1485  Data Destruction
Impact                 T1531  Account Access Removal
Impact                 T1561  Disk Wipe
Impact                 T1498  Network Denial of Service
Impact                 T1489  Service Stop
Impact                 T1486  Data Encrypted for Impact
Initial Access         T1190  Exploit Public-Facing Application
Initial Access         T1566  Phishing
Initial Access         T1189  Drive-by Compromise
Initial Access         T1078  Valid Accounts
Initial Access         T1133  External Remote Services
Initial Access         T1195  Supply Chain Compromise
Initial Access         T1199  Trusted Relationship
Lateral Movement       T1021  Remote Services
Lateral Movement       T1097  Pass the Ticket (revoked; now T1550.003)
Lateral Movement       T1563  Remote Service Session Hijacking
Lateral Movement       T1570  Lateral Tool Transfer
Lateral Movement       T1550  Use Alternate Authentication Material
Persistence            T1546  Event Triggered Execution
Persistence            T1574  Hijack Execution Flow
Persistence            T1547  Boot or Logon Autostart Execution
Persistence            T1060  Registry Run Keys / Startup Folder (revoked; now T1547.001)
Persistence            T1505  Server Software Component
Persistence            T1176  Browser Extensions
Persistence            T1137  Office Application Startup
Persistence            T1136  Create Account
Persistence            T1053  Scheduled Task/Job
Persistence            T1078  Valid Accounts
Persistence            T1133  External Remote Services
Persistence            T1098  Account Manipulation
Persistence            T1037  Boot or Logon Initialization Scripts
Persistence            T1543  Create or Modify System Process
Privilege Escalation   T1546  Event Triggered Execution
Privilege Escalation   T1574  Hijack Execution Flow
Privilege Escalation   T1547  Boot or Logon Autostart Execution
Privilege Escalation   T1068  Exploitation for Privilege Escalation
Privilege Escalation   T1055  Process Injection
Privilege Escalation   T1053  Scheduled Task/Job
Privilege Escalation   T1078  Valid Accounts
Privilege Escalation   T1548  Abuse Elevation Control Mechanism
Privilege Escalation   T1098  Account Manipulation
Privilege Escalation   T1134  Access Token Manipulation
Privilege Escalation   T1037  Boot or Logon Initialization Scripts
Privilege Escalation   T1543  Create or Modify System Process
Reconnaissance         T1592  Gather Victim Host Information
Reconnaissance         T1595  Active Scanning
Resource Development   T1588  Obtain Capabilities
Resource Development   T1587  Develop Capabilities
Resource Development   T1583  Acquire Infrastructure

Note: IDs marked "revoked" were retired by MITRE and now map to the sub-technique given; detection content should key on the sub-technique, not the old ID. Techniques that appear under more than one tactic (T1056, T1497, T1550, T1078 and others) are listed by ATT&CK under each of those tactics, so the repeats are not errors. The table is an aggregate of reported techniques and includes rows (for example the Impact entries) that are not typical of Cobalt's documented bank-fraud tradecraft; confirm rows against primary reporting before prioritising detections on them.

Total Count : 907

https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/
https://www.mandiant.com/resources/defining-cobalt-strike-components
https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/
https://www.youtube.com/watch?v=gfYswA_Ronw
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
https://bmcder.com/blog/extracting-cobalt-strike-from-windows-error-reporting
https://www.zscaler.com/blogs/security-research/analysis-xloaders-c2-network-encryption
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/FormBook/FormBook.md
https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/
https://research.loginsoft.com/threat-research/from-innocence-to-malice-the-onenote-malware-campaign-uncovered/
https://isc.sans.edu/diary/26752
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021
https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk
https://www.kroll.com/en/insights/publications/cyber/royal-ransomware-deep-dive
https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims
https://malcat.fr/blog/lnk-forensic-and-config-extraction-of-a-cobalt-strike-beacon/
http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html
https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811
https://intel471.com/blog/a-brief-history-of-ta505
https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/
https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/
https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf
https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage
https://d01a.github.io/syscalls/
https://unit42.paloaltonetworks.com/atoms/mulelibra/
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
https://www.secureworks.com/research/threat-profiles/gold-kingswood
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
http://www.secureworks.com/research/threat-profiles/gold-winter
https://thedfirreport.com/2022/04/25/quantum-ransomware/
https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/
https://www.ic3.gov/Media/News/2021/210823.pdf
https://www.youtube.com/watch?v=N0wAh26wShE
https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
https://lab52.io/blog/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users/
https://medium.com/walmartglobaltech/signed-dll-campaigns-as-a-service-7760ac676489
https://malware-traffic-analysis.net/2021/09/29/index.html
https://www.ironnet.com/blog/tracking-cobalt-strike-servers-used-in-cyberattacks-on-ukraine
https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-powershell-proxyshell-conti-ttps-oh-my
https://blog.talosintelligence.com/2021/10/squirrelwaffle-emerges.html
https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#
https://www.welivesecurity.com/2022/04/13/eset-takes-part-global-operation-disrupt-zloader-botnets/
https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718
https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/
https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://www.cybercom.mil/Media/News/Article/3098856/cyber-national-mission-force-discloses-iocs-from-ukrainian-networks/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/
https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
https://www.cynet.com/attack-techniques-hands-on/quakbot-strikes-with-quaknightmare-exploitation/
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_7_hara_shoji_higashi_vickie-su_nick-dai_en.pdf
https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/
https://www.arashparsa.com/catching-a-malware-with-no-name/
https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
https://us-cert.cisa.gov/ncas/alerts/aa21-148a
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/
https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf
https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought
https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware
https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-transnaczionalne-zlochinne-ugrupovannya-u-nanesenni-inozemnim-kompaniyam-120-miljoniv-dolariv-zbitkiv/
https://www.secureworks.com/research/darktortilla-malware-analysis
https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a